[pkg-apparmor] Bug#1120155: apparmor: GNOME Papers digital-signing failure caused by AppArmor profile restrictions

Cristiano Nunes cfgnunes at gmail.com
Thu Nov 6 06:20:47 GMT 2025


Package: apparmor
Version: 4.1.0-1
Severity: normal
X-Debbugs-Cc: cfgnunes at gmail.com

Dear Maintainer,

While testing the “Sign Digitally” feature in GNOME Papers, I found that
the signing process fails due to AppArmor blocking access to several
paths required by NSS and by smartcard middleware.

I reproduced the same issue on Ubuntu as well and documented it here:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2106133

The audit log shows consistent AppArmor denials such as:

  - ~/.pki/nssdb/cert9.db             (file_lock)
  - ~/.mozilla/firefox/*/cert9.db     (read)
  - /run/pcscd/pcscd.comm             (connect)
  - /sys/devices/...                  (open)

Because of these denials, Papers cannot initialize NSS and shows errors
such as: “NSS_Init failed: security library: bad database.”

After testing, I confirmed that extending the AppArmor profile resolves
the issue and restores the digital-signature functionality. Adding the
following rules to `/etc/apparmor.d/usr.bin.papers` fixes the problem:

  owner @{HOME}/.pki/** lrk,
  /sys/devices/** r,
  /run/pcscd/pcscd.comm rw,

Since this behavior is caused by the AppArmor policy rather than by
Papers itself, it seems appropriate for the issue to be handled within
the `apparmor` package.

If possible, please consider adjusting the AppArmor profile in Debian so
that GNOME Papers can access the necessary NSS and smartcard paths by
default.

Best regards,
Cristiano Fraga G. Nunes


-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.48+deb13-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  libc6                  2.41-12

apparmor recommends no packages.

Versions of packages apparmor suggests:
pn  apparmor-profiles-extra  <none>
pn  apparmor-utils           <none>

-- debconf information:
  apparmor/homedirs:
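
Added example, not part of the original report or of the apparmor package: a small Python check that parses AppArmor DENIED audit records and lists which denied permissions a candidate rule set still leaves uncovered, using the three rules quoted above. The audit lines are constructed samples (profile name, user, PIDs and the EXAMPLE path components are placeholders), and the glob handling is a simplification that assumes @{HOME} expands to /home/<user>.

```python
import re

# Constructed sample audit records (not from the report); names and IDs are placeholders.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.001:101): apparmor="DENIED" operation="file_lock" class="file" profile="papers" name="/home/alice/.pki/nssdb/cert9.db" pid=4242 comm="papers" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.002:102): apparmor="DENIED" operation="open" class="file" profile="papers" name="/home/alice/.mozilla/firefox/EXAMPLE.default/cert9.db" pid=4242 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.003:103): apparmor="DENIED" operation="connect" class="file" profile="papers" name="/run/pcscd/pcscd.comm" pid=4242 comm="papers" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.004:104): apparmor="DENIED" operation="open" class="file" profile="papers" name="/sys/devices/EXAMPLE/uevent" pid=4242 comm="papers" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# The three rules proposed in the report: (owner-only?, path glob, permissions).
RULES = [(True, "@{HOME}/.pki/**", "lrk"),
         (False, "/sys/devices/**", "r"),
         (False, "/run/pcscd/pcscd.comm", "rw")]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Simplified globbing (assumption): '**' crosses '/', '*' does not, @{HOME} is /home/<user>.
GLOB = {"@{HOME}": r"/home/[^/]+", "**": r".*", "*": r"[^/]*"}

def parse_denials(log):
    """Return one field dict per AppArmor DENIED record that names a path."""
    recs = [{k: q or b for k, q, b in FIELD.findall(line)} for line in log.splitlines()]
    return [r for r in recs if r.get("apparmor") == "DENIED" and "name" in r]

def glob_to_regex(glob):
    """Translate a rule path into a regex using the simplified GLOB table."""
    parts = re.split(r"(@\{HOME\}|\*\*|\*)", glob)
    return re.compile("".join(GLOB.get(p, re.escape(p)) for p in parts))

def uncovered(denials, rules=RULES):
    """Map each denied path to the permission letters no rule grants."""
    missing = {}
    for d in denials:
        granted = set()
        for owner_only, glob, perms in rules:
            # 'owner' rules apply only when the file's uid matches the task's fsuid.
            if owner_only and d.get("fsuid") != d.get("ouid"):
                continue
            if glob_to_regex(glob).fullmatch(d["name"]):
                granted |= set(perms)
        left = set(d["denied_mask"]) - granted
        if left:
            missing[d["name"]] = "".join(sorted(left))
    return missing

if __name__ == "__main__":
    print(uncovered(parse_denials(SAMPLE_LOG)))
```

On the constructed sample, the only denial the three rules leave in place is the read of the Firefox profile's cert9.db, which none of them matches.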


